Security Checklist - Be Proactive and not Reactive

Hey MPU!

With all the news on various websites about home security, Ring doorbells, hacking, etc., can we as MPU put together a proper security checklist and outline steps for people? Rather than react to the news or react to hackers, how do we prevent this in the first place?

I am not by any means a security IT guru, I just know basics.

  • Use 1Password
  • Enable 2FA
  • Don’t reuse passwords

If anyone out there has lots of knowledge in this area, I would greatly benefit from it, and I am sure many others would as well.

1 Like

I’d add that using 2FA with one-time codes (over SMS) is a good move.

2 Likes

Network:

  • Update network software frequently
  • Set a strong admin password on network equipment
  • Create a guest network for guests and change that password frequently
  • Only allow WPA2 (Enterprise for business) WiFi networks and set a strong password
  • Disable UPnP on the router
  • Disable remote access to network equipment unless you know what you are doing
  • Divide and conquer by setting up VLANs for private, guest and IoT access
  • Set “OpenDNS” on the router

Where possible, use an authentication app, soft token, or push notifications for the second factor. SMS 2FA is better than nothing, but can be intercepted by malware (on Android) or SIM swapping.

I’d add:

Use uBlock Origin in your browser to block ads (which can host malware) and domains associated with malware.

macOS anti-virus isn’t all that useful, but scanning your machine from time to time for unexpected apps, libraries, other executables, and unexpected persistence is a good idea. I use KnockKnock (https://www.objective-see.com/products/knockknock.html).

The fine-grained authorization dialogs in Catalina are good for security in general, but can lead to dialog fatigue among users which malware can exploit. Pay attention to what you are allowing apps on your machine to do.

A signed app is no assurance that the app isn’t malicious.

Apple isn’t perfect, and the attackers are getting better. In particular, Fancy Bear – one of the Russian threat actors implicated in the attacks during the last presidential election – usually employs PowerShell in email for the first stage of its attacks, but has started using Python as well. Python is part of macOS, so please exercise care with email carrying attachments or scripts.
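To make the “scan for unexpected persistence” advice concrete, here is an added example (my own code, not part of the thread and not from Objective-See’s KnockKnock): it parses launchd job plists, which is where LaunchAgents and LaunchDaemons are defined on macOS, and attaches plain-language reasons a job deserves a second look. The directory list is the standard launchd layout; the “expected” path prefixes, the interpreter list, the heuristics and both sample plists are assumptions I constructed for the demonstration.

```python
"""Launchd persistence review in the spirit of a KnockKnock-style scan.
Added example: heuristics, path prefixes and sample plists are constructed by me."""
import plistlib
from dataclasses import dataclass, field
from pathlib import Path

# Directories launchd reads persistent jobs from on macOS (user agents, system agents, daemons).
LAUNCHD_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
# Assumption for the heuristic: vendor-installed programs normally live under these prefixes.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Jobs whose "program" is a script interpreter hide the real payload in the arguments.
SCRIPT_INTERPRETERS = {"python", "python3", "osascript", "bash", "sh", "zsh", "perl", "curl"}


@dataclass
class LaunchJob:
    label: str
    program: str
    arguments: list
    run_at_load: bool
    keep_alive: bool
    source: str = "<inline>"
    findings: list = field(default_factory=list)


def parse_launchd_plist(data: bytes, source: str = "<inline>") -> LaunchJob:
    """Extract what runs (Program/ProgramArguments) and when (RunAtLoad/KeepAlive)."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments", []))
    program = plist.get("Program") or (args[0] if args else "")
    return LaunchJob(
        label=plist.get("Label", "<no label>"),
        program=program,
        arguments=args,
        run_at_load=bool(plist.get("RunAtLoad", False)),
        keep_alive=bool(plist.get("KeepAlive", False)),  # bool or a dict of conditions; both mean "restart me"
        source=source,
    )


def review(job: LaunchJob) -> LaunchJob:
    """Attach reasons a job deserves a look. None proves malice; each is a
    "why is this here?" question to answer before deciding to keep the job."""
    if not job.program:
        job.findings.append("no Program/ProgramArguments: nothing to audit")
        return job
    if not job.program.startswith(EXPECTED_PREFIXES):
        job.findings.append(f"program outside vendor locations: {job.program}")
    if any(part.startswith(".") for arg in job.arguments for part in Path(arg).parts):
        job.findings.append("hidden (dot) directory in program path or arguments")
    if Path(job.program).name in SCRIPT_INTERPRETERS:
        job.findings.append(f"interpreter as program: {' '.join(job.arguments)}")
    if job.label.startswith("com.apple.") and not job.source.startswith("/System/"):
        job.findings.append("Apple-style label outside /System: possible look-alike name")
    if job.run_at_load and job.keep_alive:
        job.findings.append("RunAtLoad + KeepAlive: starts at login and is restarted if it exits")
    return job


def scan_directories(dirs=LAUNCHD_DIRS) -> list:
    """Review every plist in the launchd directories that exist on this machine."""
    jobs = []
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            try:
                jobs.append(review(parse_launchd_plist(path.read_bytes(), str(path))))
            except Exception as exc:  # a plist that will not parse is itself worth a look
                jobs.append(LaunchJob(path.name, "", [], False, False, str(path), [f"unparseable: {exc}"]))
    return jobs


# Constructed samples: a plausible vendor helper, and a job showing several of the traits above.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendor.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/helper</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python3</string>
         <string>/Users/alice/Library/Application Support/.cache/update.py</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        job = review(parse_launchd_plist(sample))
        print(job.label, "->", job.findings or ["nothing unusual"])
    for job in scan_directories():  # real jobs on this Mac, if the directories exist
        if job.findings:
            print(job.source, job.findings)
```

Run it on a Mac and every flagged job becomes a question you can actually answer (“what is this, and did I install it?”), which is the point of the periodic check: the findings are prompts for a human, not verdicts, and a zero-finding list is still worth skimming for labels you do not recognise.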

Discovered this the hard way when Google Authenticator didn’t carry over its setup to a new phone.

1 Like

Like with everything it’s a matter of weighing your risks, and looking for a solution that works best for you.

These would be my basics (might be a bit extreme):

  • Disable UPnP on your router
  • Put all of your IoT devices on a separate network (*), and don’t worry about double NAT; it has never given me any issues.
  • Turn on auto update on all mobile devices.
  • Use 2FA wherever possible. And no: SMS is NOT secure, just better than nothing.
    I avoid any service that still has SMS, as it demonstrates poor security practices and lack of funding for security.
  • Use 1Password or LastPass or whatever password manager to create unique and long passwords (“strong” is so 1990s; strength is in length).
  • Use MacUpdater on your Macs to check for updates.
  • Do not, under any circumstances, use a cloud product to check your doorbell or listen to your conversations (e.g. Ring, Alexa, Google Home, etc. And yes, I’ve disabled “Hey Siri”).
    For me that would also include any service or product related to Amazon or Google.
    I prefer tunnelling into my network via my router VPN, and getting a video feed from there without the cams being able to directly access the internet.
    And the doorbell? If I’m not at home, I don’t care. (In my country most packages are delivered to the supermarket for end-of-day pickup by the customer.)

(*) links to an explanation for that router/IoT setup

3 Likes

Ouch. Sorry to hear that.

If you’re keen to give it another try, using Authy or 1Password for 2FA is a much better choice than Google Authenticator, because you can use them on a new device.

I use 2FA in various shared vaults where all the members of that shared vault can use the 2FA without a problem.

I’ve set up 1Password 2FA for one account (GitHub) but it doesn’t seem to sync between devices. E.g. on my iMac I get the codes but not on my iPad. Should it work that way? What have I done wrong?

I’ve had this in the past. Is the password in a vault that is synced?
My vaults are on 1password.com, but in the past I still had a primary vault on one device that did not sync elsewhere.

Maybe check your sync settings, and the vault new passwords are stored in by default.

Also in sync settings, check if all are set to the same service. I’ve seen family members’ devices sync to Dropbox, and others to iCloud. That way things are never in sync.

It sounds like you saved it to a vault that does not sync, as @JKoopmans suggested.

If you are not using 1Password.com then you’ll have to set up sync on each device. I might be able to help but I’d need to know more info about how you are syncing.

See also http://support.1password.com.

1 Like

In general, SMS is no longer recommended as a secure means of transmitting MFA data. At this point, my advice to my user community is that using SMS can actually decrease your security, since SIM jacking has become more commonplace.

The rule of thumb that serves me best lately (that has not yet been mentioned here) is: Don’t trust the network, ANY network. Ever. At all.

The corollary to that is that if it’s important and has to happen over the network, make sure that the transmission is encrypted end to end and that authentication and authorization are handled robustly.

Something that I think is often overlooked in security is that complexity is the enemy of security. Theoretically secure designs (especially network architectures) take a lot of care and feeding, and when you rely on them as defensive structures, that care and feeding is a place that has a tendency to fall victim to entropy. Keep things as absolutely simple as possible (but no simpler) and make as much happen automatically as possible and you will almost certainly be safer than under any other scenario.

True, but way better than nothing!

Most people are not of enough value to go through the effort to hijack their SIM.

Those who are a valuable target should definitely use 2FA with an app or, better yet, a password manager like 1Password.
And in very critical cases a hardware token like a YubiKey.

No, SMS is not better than nothing; it’s actually become worse. The problem is that it’s used as a means to validate your identity and it’s easily subverted. That means that something that is intended to be a securing mechanism actually becomes a very effective attack vector. Ask Jack Dorsey about how SMS-based MFA worked out for him :wink:

1 Like

We’ll have to agree to disagree. It’s being used more and more as a means to defraud everyday people 'round these parts.

Don’t get me wrong, MFA is a very, very good idea, but SMS-based 2FA has become a means to conduct fraud. Your own NIST recommends against using it.

Not true. NIST is a standards body, but their target audience is not just the Federal government.

@ACautionaryTale - I see where you’re going with all of the zero trust speak, but most of these are home/personal networks. Not that what you’re saying isn’t valid. Just a bit much IMHO.

Deleting my honest attempts to help

I was trying to avoid using the phrase “zero trust” :slight_smile: My thinking here, though, is that it may be much easier for laypersons to adopt that kind of philosophy than to build (and more importantly, maintain) home networks with proper segregation and access controls, especially in the face of the number of Internet of Crappy Things devices that are showing up everywhere.

People who refer to Internet connectivity as “the WiFi” probably aren’t going to be too enthusiastic about talk of VLANs, ACLs, or layer 3 boundaries :stuck_out_tongue: There is no way I could ever get my parents to begin to understand stuff like that, but they sure do want that “smart” thermostat.

1 Like